Back to MCP Servers

Semgrep

Scan code for security vulnerabilities, bugs, and anti-patterns using Semgrep static analysis rules

securitysemgrepstatic-analysissastcommunity
By Semgrep
66455Updated 6 months agoPythonMIT

Installation

npx @semgrep/mcp

Configuration

{
  "mcpServers": {
    "semgrep": {
      "command": "npx",
      "args": ["-y", "@semgrep/mcp"],
      "env": {
        "SEMGREP_APP_TOKEN": "your-semgrep-token"
      }
    }
  }
}

How to use

  1. Run the installation command above (if needed)
  2. Open your Claude Code settings file (~/.claude/settings.json)
  3. Add the configuration to the mcpServers section
  4. Restart Claude Code to apply changes

README

View on GitHub

⚠️ The Semgrep MCP server has been moved from a standalone repo to the main semgrep repository! ⚠️

This repository has been deprecated, and further updates to the Semgrep MCP server will be made via the official semgrep binary.

<p align="center"> <a href="https://semgrep.dev"> <picture> <source media="(prefers-color-scheme: light)" srcset="images/semgrep-logo-light.svg"> <source media="(prefers-color-scheme: dark)" srcset="images/semgrep-logo-dark.svg"> <img src="https://raw.githubusercontent.com/semgrep/mcp/main/images/semgrep-logo-light.svg" height="60" alt="Semgrep logo"/> </picture> </a> </p> <p align="center"> <a href="https://semgrep.dev/docs/"> <img src="https://img.shields.io/badge/Semgrep-docs-2acfa6?style=flat-square" alt="Documentation" /> </a> <a href="https://go.semgrep.dev/slack"> <img src="https://img.shields.io/badge/Slack-4.5k%20-4A154B?style=flat-square&logo=slack&logoColor=white" alt="Join Semgrep community Slack" /> </a> <a href="https://www.linkedin.com/company/semgrep/"> <img src="https://img.shields.io/badge/LinkedIn-follow-0a66c2?style=flat-square" alt="Follow on LinkedIn" /> </a> <a href="https://x.com/intent/follow?screen_name=semgrep"> <img src="https://img.shields.io/badge/semgrep-000000?style=flat-square&logo=x&logoColor=white?style=flat-square" alt="Follow @semgrep on X" /> </a> </p>

Semgrep MCP Server

Add MCP Server semgrep to LM Studio Install in Cursor Install in VS Code UV Install in VS Code Docker Install in VS Code semgrep.ai PyPI Docker Install in VS Code Insiders Install in VS Code Insiders

A Model Context Protocol (MCP) server for using Semgrep to scan code for security vulnerabilities. Secure your vibe coding! 😅

Model Context Protocol (MCP) is a standardized API for LLMs, Agents, and IDEs like Cursor, VS Code, Windsurf, or anything that supports MCP, to get specialized help, get context, and harness the power of tools. Semgrep is a fast, deterministic static analysis tool that semantically understands many languages and comes with over 5,000 rules. 🛠️

[!NOTE] This beta project is under active development. We would love your feedback, bug reports, feature requests, and code. Join the #mcp community Slack channel!

Contents

Getting started

Run the Python package as a CLI command using uv:

uvx semgrep-mcp # see --help for more options

Or, run as a Docker container:

docker run -i --rm ghcr.io/semgrep/mcp -t stdio

Cursor

Example mcp.json

{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"],
      "env": {
        "SEMGREP_APP_TOKEN": "<token>"
      }
    }
  }
}

Add an instruction to your .cursor/rules to use automatically:

Always scan code generated using Semgrep for security vulnerabilities

ChatGPT

  1. Go to the Connector Settings page (direct link)
  2. Name the connection Semgrep
  3. Set MCP Server URL to https://mcp.semgrep.ai/sse
  4. Set Authentication to No authentication
  5. Check the I trust this application checkbox
  6. Click Create

See more details at the official docs.

Hosted Server

[!WARNING] mcp.semgrep.ai is an experimental server that may break unexpectedly. It will rapidly gain new functionality.🚀

Cursor

  1. Cmd + Shift + J to open Cursor Settings
  2. Select MCP Tools
  3. Click New MCP Server.
{
  "mcpServers": {
    "semgrep": {
      "type": "streamable-http",
      "url": "https://mcp.semgrep.ai/mcp"
    }
  }
}

Demo

<a href="https://www.loom.com/share/8535d72e4cfc4e1eb1e03ea223a702df"> <img style="max-width:300px;" src="https://cdn.loom.com/sessions/thumbnails/8535d72e4cfc4e1eb1e03ea223a702df-1047fabea7261abb-full-play.gif"> </a>

API

Tools

Enable LLMs to perform actions, make deterministic computations, and interact with external services.

Scan Code

  • security_check: Scan code for security vulnerabilities
  • semgrep_scan: Scan code files for security vulnerabilities with a given config string
  • semgrep_scan_with_custom_rule: Scan code files using a custom Semgrep rule

Understand Code

  • get_abstract_syntax_tree: Output the Abstract Syntax Tree (AST) of code

Cloud Platform (login and Semgrep token required)

  • semgrep_findings: Fetch Semgrep findings from the Semgrep AppSec Platform API

Meta

  • supported_languages: Return the list of languages Semgrep supports
  • semgrep_rule_schema: Fetches the latest semgrep rule JSON Schema

Prompts

Reusable prompts to standardize common LLM interactions.

  • write_custom_semgrep_rule: Return a prompt to help write a Semgrep rule

Resources

Expose data and content to LLMs

  • semgrep://rule/schema: Specification of the Semgrep rule YAML syntax using JSON schema
  • semgrep://rule/{rule_id}/yaml: Full Semgrep rule in YAML format from the Semgrep registry

Usage

This Python package is published to PyPI as semgrep-mcp and can be installed and run with pip, pipx, uv, poetry, or any Python package manager.

$ pipx install semgrep-mcp
$ semgrep-mcp --help

Usage: semgrep-mcp [OPTIONS]

  Entry point for the MCP server

  Supports both stdio and sse transports. For stdio, it will read from stdin
  and write to stdout. For sse, it will start an HTTP server on port 8000.

Options:
  -v, --version                Show version and exit.
  -t, --transport [stdio|sse]  Transport protocol to use (stdio or sse)
  -h, --help                   Show this message and exit.

Standard Input/Output (stdio)

The stdio transport enables communication through standard input and output streams. This is particularly useful for local integrations and command-line tools. See the spec for more details.

Python

semgrep-mcp

By default, the Python package will run in stdio mode. Because it's using the standard input and output streams, it will look like the tool is hanging without any output, but this is expected.

Docker

This server is published to Github's Container Registry (ghcr.io/semgrep/mcp)

docker run -i --rm ghcr.io/semgrep/mcp -t stdio

By default, the Docker container is in SSE mode, so you will have to include -t stdio after the image name and run with -i to run in interactive mode.

Streamable HTTP

Streamable HTTP enables streaming responses over JSON RPC via HTTP POST requests. See the spec for more details.

By default, the server listens on 127.0.0.1:8000/mcp for client connections. To change any of this, set FASTMCP_* environment variables. The server must be running for clients to connect to it.

Python

semgrep-mcp -t streamable-http

By default,

View source on GitHub

You might also like

E2B Code Sandbox
MCP Servers
Supabase Server
MCP Servers
MongoDB Server
MCP Servers